Seminar on Intrusion Detection System

Intrusion Detection System(IDS)


In this ppt I have included mainly three topics:

1. Introduction of IDS
2. Technologies used in IDS
3. Detection types


Page 1: Intrusion Detection System(IDS)

Seminar on Intrusion Detection System

Page 2: Intrusion Detection System(IDS)

TOPICS:

• Introduction of IDS
• Technologies
• Detection types

Page 3: Intrusion Detection System(IDS)

INTRODUCTION

• What is IDS?
• History
• Need of IDS
• Classification of IDS

Page 4: Intrusion Detection System(IDS)

WHAT IS IDS?

• Revolution in networking: the possibilities and opportunities are limitless.

• Unfortunately, so too are the risks and chances of malicious activities.

Page 5: Intrusion Detection System(IDS)

Intrusion = illegal entry or unwelcome addition.

Definition: An Intrusion Detection System (IDS) is software that determines whether a computer network or server has experienced an unauthorized intrusion.

Page 6: Intrusion Detection System(IDS)

An IDS detects these intrusion attempts so that action may be taken to repair the damage later.

An IDS monitors network traffic for suspicious activity and alerts the system or network administrator.

Page 7: Intrusion Detection System(IDS)

THE BEGINNING (HISTORY)

A USAF paper published in October 1972, written by James P. Anderson, outlined the fact that the USAF had “become increasingly aware of computer security problems.”

Page 8: Intrusion Detection System(IDS)

Before designing an IDS, it was necessary to understand the types of threats and attacks that could be mounted against computer systems.

Page 9: Intrusion Detection System(IDS)

NEED OF IDS

A computer system should provide confidentiality, integrity and assurance against denial of service.

• Confidentiality: whether the information stored on a system is protected against unauthorized access.

Page 10: Intrusion Detection System(IDS)

• Integrity: whether the information stored on a system is reliable and can be trusted.

• Increased connectivity (especially on the Internet): more and more systems are subject to attack by intruders.

Page 11: Intrusion Detection System(IDS)

These intruders attempt to exploit flaws in the OS as well as in application programs, and their attempts have resulted in spectacular incidents, such as the Internet Worm incident of 1988.

Page 12: Intrusion Detection System(IDS)

TWO WAYS TO HANDLE

1. By building a completely secure system.

• Require all users to identify and authenticate themselves
• Protect data: cryptographic methods and very tight access control mechanisms

Page 13: Intrusion Detection System(IDS)

2. If we cannot prevent intruders, we should at least try to detect them and prevent similar attacks in the future.

Page 14: Intrusion Detection System(IDS)

TYPES OF INTRUDERS

Intruders:

• Internal
• Masquerade
• Clandestine
• External

Page 15: Intrusion Detection System(IDS)

TASKS TO BE PERFORMED

• Prevention
• Intrusion monitoring
• Intrusion detection
• Response
• Simulation
• Analysis
• Notification

Page 16: Intrusion Detection System(IDS)
Page 17: Intrusion Detection System(IDS)

TECHNOLOGIES:

• Network IDS
• Host IDS

Page 18: Intrusion Detection System(IDS)

NETWORK INTRUSION DETECTION SYSTEM

• Detect attacks as they happen: real-time monitoring of networks
• Provide information about attacks that have succeeded: forensic analysis

Page 19: Intrusion Detection System(IDS)

• Deploying sensors at strategic locations, e.g., packet sniffing via tcpdump at routers
• Inspecting network traffic: watch for violations of protocols and unusual connection patterns
• Monitoring user activities: look into the data portions of the packets for malicious command sequences

Page 20: Intrusion Detection System(IDS)
Page 21: Intrusion Detection System(IDS)

• May be easily defeated by encryption: data portions and some header information can be encrypted.
• The decryption engine is still there, though.

Page 22: Intrusion Detection System(IDS)

RELATED TOOLS FOR NETWORK IDS

While not an element of Snort, Ethereal is the best open source GUI-based packet viewer.

www.ethereal.com offers Windows and UNIX builds, e.g., www.ethereal.com/download.html; Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms

Page 23: Intrusion Detection System(IDS)
Page 24: Intrusion Detection System(IDS)

REQUIREMENTS OF NIDS

• High-speed, large volume monitoring
• No packet filter drops
• Real-time notification
• Mechanism separate from policy
• Extensible
• Broad detection coverage
• Economy in resource usage
• Resilience to stress
• Resilience to attacks upon the IDS itself!

Page 25: Intrusion Detection System(IDS)

HOST INTRUSION DETECTION SYSTEM

• Using OS auditing mechanisms, e.g., BSM on Solaris: logs all direct or indirect events generated by a user; strace for system calls made by a program
• Monitoring user activities, e.g., analyze shell commands

Page 26: Intrusion Detection System(IDS)

• Monitoring executions of system programs, e.g., analyze system calls made by sendmail

A HIDS can see more than just network traffic and can make decisions based on local settings, settings specific to an OS, and log data.

Page 27: Intrusion Detection System(IDS)
Page 28: Intrusion Detection System(IDS)

Detection types

• Signature based
• Anomaly based

Page 29: Intrusion Detection System(IDS)

SIGNATURE BASED IDS

• Sniff traffic on network: border router or multiple sensors within a LAN
• Match sniffed traffic with signatures: attack signatures in database
• Signature: set of rules pertaining to a typical intrusion activity
• Simple example rule: any ICMP packet > 10,000 bytes
• Example: more than one thousand SYN packets to different ports on same host under a second

Page 30: Intrusion Detection System(IDS)

• Skilled security engineers research known attacks and put them in the database
• Can configure IDS to exclude certain signatures; can modify signature parameters
• Warn administrator when a signature matches: send e-mail, SMS; send message to network management system
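The two example rules from these slides (an ICMP packet larger than 10,000 bytes, and more than one thousand SYN packets to different ports on one host within a second) as a small signature matcher, written here as an added example and not taken from the original slides. The packet record layout, the "enabled" flag and tunable thresholds (to model excluding a signature or modifying its parameters), and the sample traffic are all my own assumptions.

```python
from collections import deque, namedtuple

# Constructed packet summary: the fields a sensor would extract from a sniffed packet.
Packet = namedtuple("Packet", "ts src dst proto dport syn length")

# Signature parameters: an operator may tune them or disable a rule entirely,
# as the slide notes. The thresholds are the slide's own example values.
SIGNATURES = {
    "oversized_icmp": {"enabled": True, "max_len": 10000},
    "syn_port_sweep": {"enabled": True, "ports": 1000, "window": 1.0},
}


def match_signatures(packets, sigs=SIGNATURES):
    """Run every enabled signature over a packet stream and return alerts
    as (signature, src, dst, ts) tuples."""
    alerts = []
    recent = {}  # dst host -> deque of (ts, dport) for SYNs inside the window
    for p in packets:
        icmp = sigs["oversized_icmp"]
        if icmp["enabled"] and p.proto == "ICMP" and p.length > icmp["max_len"]:
            alerts.append(("oversized_icmp", p.src, p.dst, p.ts))
        sweep = sigs["syn_port_sweep"]
        if sweep["enabled"] and p.proto == "TCP" and p.syn:
            q = recent.setdefault(p.dst, deque())
            q.append((p.ts, p.dport))
            while q and p.ts - q[0][0] > sweep["window"]:  # drop SYNs older than the window
                q.popleft()
            if len({port for _, port in q}) > sweep["ports"]:
                alerts.append(("syn_port_sweep", p.src, p.dst, p.ts))
                q.clear()  # one alert per sweep, not one per extra packet
    return alerts


def sample_traffic():
    """Constructed stream: a little normal traffic, one oversized ICMP packet,
    then 1001 SYNs to distinct ports on one host within half a second."""
    pkts = [Packet(0.0, "10.0.0.2", "10.0.0.5", "TCP", 80, True, 60),
            Packet(0.1, "10.0.0.2", "10.0.0.5", "ICMP", 0, False, 64),
            Packet(0.2, "10.0.0.9", "10.0.0.5", "ICMP", 0, False, 20000)]
    for i in range(1001):
        pkts.append(Packet(1.0 + i * 0.0004, "10.0.0.7", "10.0.0.5", "TCP", 1024 + i, True, 60))
    return pkts


if __name__ == "__main__":
    for alert in match_signatures(sample_traffic()):
        print(alert)
```

Because the sweep rule keys on the destination host, it also catches a sweep spread over several sources, though the alert then names only the source of the packet that crossed the threshold.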

Page 31: Intrusion Detection System(IDS)

LIMITATIONS TO SIGNATURE DETECTION

• Requires previous knowledge of attack to generate accurate signature
• Blind to unknown attacks
• Signature bases are getting larger: every packet must be compared with each signature
• IDS can get overwhelmed with processing; can miss packets

Page 32: Intrusion Detection System(IDS)

ANOMALY DETECTION IDS

• Observe traffic during normal operation
• Create normal traffic profile
• Look for packet streams that are statistically unusual, e.g., inordinate percentage of ICMP packets or exponential growth in port scans/sweeps
• Doesn't rely on having previous knowledge of attack
• Research topic in security
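The profile-then-compare idea from this slide, worked through for the slide's own example of an inordinate ICMP percentage: build a baseline from windows of normal traffic, then flag a window whose ICMP fraction is a statistical outlier. This is an added example, not part of the original slides; the per-window representation, the z-score test with a threshold of 3, and the constructed training traffic are my assumptions.

```python
from collections import Counter
from statistics import mean, pstdev


def icmp_fraction(window):
    """Fraction of packets in one time window (a list of protocol names) that are ICMP."""
    return Counter(window)["ICMP"] / len(window) if window else 0.0


def build_profile(training_windows):
    """Normal-traffic profile: mean and standard deviation of the per-window
    ICMP fraction observed during normal operation. Assumes the training
    capture is clean; attack traffic in it would inflate the baseline."""
    fracs = [icmp_fraction(w) for w in training_windows]
    return {"mean": mean(fracs), "std": pstdev(fracs)}


def is_anomalous(profile, window, threshold=3.0):
    """Flag a window whose ICMP fraction lies more than `threshold` standard
    deviations above the profile mean (a one-sided z-score test)."""
    std = profile["std"] or 1e-9  # a perfectly constant baseline would divide by zero
    z = (icmp_fraction(window) - profile["mean"]) / std
    return z > threshold


def constructed_training():
    """20 one-second windows of constructed normal traffic: 100 packets each,
    2 to 6 of them ICMP, the rest TCP and UDP."""
    windows = []
    for i in range(20):
        n_icmp = 2 + (i % 5)
        windows.append(["ICMP"] * n_icmp + ["TCP"] * (90 - n_icmp) + ["UDP"] * 10)
    return windows


if __name__ == "__main__":
    profile = build_profile(constructed_training())
    print(profile)
    print(is_anomalous(profile, ["ICMP"] * 60 + ["TCP"] * 40))  # flood-like window
    print(is_anomalous(profile, ["ICMP"] * 5 + ["TCP"] * 95))   # ordinary window
```

Lowering the threshold catches smaller deviations at the cost of more false alarms, which is the tuning trade-off that makes anomaly detection the research topic the slide mentions.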